SecurityWeek

Getting Your Hands Dirty In the Fight on Malware, Part 2

Analyzing Outbound and Inbound Traffic, and Network Segmentation Can Help Protect Your Network, Even After It Has Been Compromised.

In my previous column I took a long look at modern malware with a focus on how to prevent malware from getting into your network in the first place. In case you missed it, you can read it here.


While we all probably agree that prevention is the best medicine, it’s also foolhardy to believe that prevention alone will be enough to protect us. Whether coming from a non-network source such as a USB drive or simply from a clever attacker who finds a weakness, we have to assume that eventually our networks will be compromised if they haven’t already.

That statement alone is enough to make many security professionals (and their management) a bit prickly, which is certainly understandable. We commit precious time, money and professional effort to defend against threats, and simply presuming that our defenses have been compromised can feel like all that work has been for naught. This is not the case at all.

Assuming that we aren’t compromised just plays into the attacker’s hands. What we need is to extend the security we have to bring protection to the soft parts of our network that attackers are targeting. Malware and targeted attacks rely on the assumption that if they can get inside the perimeter, they can build a foothold and dig deeper with less worry of detection. But just because someone is able to break into a bank doesn’t mean that we should just let them walk out with the money. So in that spirit, let’s pick up where we left off and take a look at some of the practical tools and techniques that we can use to identify and stop live malware infections in our networks.

Looking Inward

Traditional enterprise networks have often been described as “hard, crunchy shells with soft, gooey centers”. This refers to the tendency for the external perimeter to be heavily fortified against outside threats, while internal users, traffic and assets tend to be trusted. Attackers have used malware to crack this model and shift the security battle to the inside of the network, where security measures are sparse.

While this has been a recognized problem for quite some time, we are finally beginning to see new proposed security architectures that address the problem. Analysts such as Forrester’s John Kindervag have begun to push the notion of the “Zero-Trust Network” (video) where all traffic, including internal traffic is passed through a “segmentation gateway” for analysis. And although many of us may not be able to adopt such a consistently segmented model overnight, there are practical steps that most any enterprise can take today.

The first step is to expand our best threat and application analysis to include outbound traffic as well as inbound traffic. The ongoing command and control traffic is the life-blood of modern malware, and the infection is only the first step in an intrusion that will likely cross our perimeter many times. Given that the malware traffic is flowing in both directions, our defenses should certainly be looking in both directions as well.
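One concrete way to look outward is to check outbound flow records for the regular, machine-like call-home pattern that command and control traffic tends to produce. The script below is an added illustration, not code from the column or from any product: it assumes flow records shaped as (timestamp in seconds, source IP, destination IP, destination port, bytes out), and the sample flows are constructed, with 203.0.113.7 playing the hypothetical call-home host and 198.51.100.20 ordinary browsing.

```python
"""Flag outbound sessions whose connection intervals are suspiciously regular.

Added example (not from the original column). Assumes flow records as
(timestamp_seconds, src_ip, dst_ip, dst_port, bytes_out); thresholds are illustrative.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: one host talks to 203.0.113.7 every ~60 s (the kind of
# cadence a beacon produces) and browses 198.51.100.20 at irregular intervals.
SAMPLE_FLOWS = [
    (0,   "10.0.1.23", "203.0.113.7",   443, 412),
    (61,  "10.0.1.23", "203.0.113.7",   443, 418),
    (119, "10.0.1.23", "203.0.113.7",   443, 410),
    (181, "10.0.1.23", "203.0.113.7",   443, 415),
    (240, "10.0.1.23", "203.0.113.7",   443, 411),
    (301, "10.0.1.23", "203.0.113.7",   443, 414),
    (5,   "10.0.1.23", "198.51.100.20", 443, 15000),
    (9,   "10.0.1.23", "198.51.100.20", 443, 2200),
    (150, "10.0.1.23", "198.51.100.20", 443, 9000),
    (152, "10.0.1.23", "198.51.100.20", 443, 600),
    (290, "10.0.1.23", "198.51.100.20", 443, 31000),
]


def find_beacons(flows, min_connections=5, max_jitter=0.2):
    """Return (src, dst, port, mean_interval_s) for each outbound (src, dst, port)
    tuple seen at least `min_connections` times whose gaps between connections
    vary by no more than `max_jitter` (coefficient of variation of the gaps).

    Regular human or application traffic has very uneven gaps; a scheduled
    check-in does not, which is why low jitter is the signal here.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, _bytes in flows:
        by_pair[(src, dst, port)].append(ts)

    beacons = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        jitter = pstdev(gaps) / avg_gap   # 0 means perfectly periodic
        if jitter <= max_jitter:
            beacons.append((src, dst, port, round(avg_gap, 1)))
    return beacons


if __name__ == "__main__":
    for src, dst, port, interval in find_beacons(SAMPLE_FLOWS):
        print(f"possible beacon: {src} -> {dst}:{port} every ~{interval}s")
```

Running it on the constructed flows reports only the 203.0.113.7 session (about every 60 seconds); the browsing session has the same number of connections but its gaps are far too uneven to pass the jitter test. In practice the thresholds need tuning per environment, and a flagged pair is a lead for investigation rather than a verdict.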


Secondly, we should begin segmenting the internal network. A flat, un-segmented network is the hacker’s delight – if you own one machine, you can own the entire network. The network and assets can often be segmented on the basis of application, user and content types. For example, a policy could dictate that only finance managers are allowed to access the database that houses financial data, and only via SQL, while all other traffic is denied by default. This not only segments the network based on need, but logs of blocked connections can indicate when someone is trying to get into sensitive assets. And while this is an admittedly simple example, the general process of understanding who needs access to what information, and what application they should use to access it, can be applied to virtually any environment.
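The finance-database policy above can be expressed as a small allow-list with a default deny, and the deny log it produces is exactly the signal the column describes. The following is an added example, not the column’s or any vendor’s code: the rule shape (user group, destination, application), the group and host names, and the sample connection attempts are all constructed for illustration.

```python
"""Default-deny segmentation policy with a deny log that surfaces probing.

Added example (not from the original column). Rules, names and sample
attempts are constructed; a real gateway would evaluate live connections.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    user_group: str    # who may connect
    destination: str   # which asset (hypothetical host label)
    application: str   # which application is permitted on that path


# The column's example policy: finance managers reach the finance database,
# and only over SQL. Anything not listed is denied.
POLICY = [
    Rule("finance-managers", "finance-db", "mssql"),
]

# Constructed connection attempts. "bob" in engineering has no business on
# finance-db and tries several applications in turn.
SAMPLE_ATTEMPTS = [
    {"user": "alice", "groups": ["finance-managers"], "dst": "finance-db", "app": "mssql"},
    {"user": "alice", "groups": ["finance-managers"], "dst": "finance-db", "app": "smb"},
    {"user": "bob",   "groups": ["engineering"],      "dst": "finance-db", "app": "mssql"},
    {"user": "bob",   "groups": ["engineering"],      "dst": "finance-db", "app": "rdp"},
    {"user": "bob",   "groups": ["engineering"],      "dst": "finance-db", "app": "smb"},
]


def is_allowed(policy, attempt):
    """Allow only when some rule matches group, destination AND application."""
    return any(
        rule.user_group in attempt["groups"]
        and rule.destination == attempt["dst"]
        and rule.application == attempt["app"]
        for rule in policy
    )


def enforce(policy, attempts):
    """Return (allowed_attempts, deny_log_lines). The deny log is what you ship
    to the SIEM: every denied connection is evidence someone reached for an asset
    they had no path to."""
    allowed, deny_log = [], []
    for attempt in attempts:
        if is_allowed(policy, attempt):
            allowed.append(attempt)
        else:
            deny_log.append(
                f"DENY user={attempt['user']} dst={attempt['dst']} app={attempt['app']}"
            )
    return allowed, deny_log


def repeat_offenders(deny_log, threshold=3):
    """Users with at least `threshold` denies: a crude but useful probing alert."""
    users = Counter(line.split("user=", 1)[1].split()[0] for line in deny_log)
    return {user: n for user, n in users.items() if n >= threshold}


if __name__ == "__main__":
    allowed, deny_log = enforce(POLICY, SAMPLE_ATTEMPTS)
    print(f"{len(allowed)} allowed, {len(deny_log)} denied")
    for line in deny_log:
        print(line)
    print("repeat offenders:", repeat_offenders(deny_log))
```

Note that alice’s SMB attempt is denied too: the rule ties the user group to one application on one path, so a compromised finance manager’s workstation that reaches for the database over anything other than SQL still lands in the deny log.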

Another option is to begin segmenting assets that attackers commonly target for escalation, such as domain controllers, email servers or any asset where user identity is managed. These are common targets once an attacker is inside the network because they can allow the attacker to escalate from a low-profile user identity, with relatively few network rights, to a far more powerful user role such as a network admin. Unlike our earlier example, the goal here is not to deny access (people need their email), but rather to establish highly granular logging and reporting to identify an intruder who may be skulking around. For example, ping sweeps, an unusual spike in failed login attempts, or newly created admin accounts should be cause for alarm.
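The three warning signs just listed can each be turned into a simple detection over the logs that granular monitoring of identity assets produces. The script below is an added example, not code from the column: the log format (timestamp, record kind, key=value fields), the privileged group names, and the sample log lines are all constructed, so the parser and thresholds would need adapting to a real log source.

```python
"""Detect ping sweeps, failed-login spikes and privileged-group additions in logs.

Added example (not from the original column). Log format and sample lines are
constructed; thresholds are illustrative starting points, not tuned values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>\w+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}  # assumed names


def parse_line(line):
    """Turn 'ISO-TIME KIND k=v k="v v"' into a dict, or None if malformed."""
    match = LINE_RE.match(line)
    if not match:
        return None
    event = {k: v.strip('"') for k, v in KV_RE.findall(match.group("rest"))}
    event["ts"] = datetime.fromisoformat(match.group("ts"))
    event["kind"] = match.group("kind")
    return event


# Constructed sample log: one internal host probes twelve neighbours by ICMP,
# then hammers an admin account; a normal user mistypes once; then someone
# is quietly added to Domain Admins.
_BASE = datetime(2024, 1, 1, 10, 0, 0)
def _t(seconds):
    return (_BASE + timedelta(seconds=seconds)).isoformat()

SAMPLE_LOG = (
    [f"{_t(i)} ICMP src=10.0.5.4 dst=10.0.1.{i + 1} type=8" for i in range(12)]
    + [f"{_t(30 + i)} AUTH result=fail user=administrator src=10.0.5.4" for i in range(10)]
    + [f"{_t(45)} AUTH result=fail user=carol src=10.0.2.9",
       f"{_t(46)} AUTH result=ok user=carol src=10.0.2.9",
       f'{_t(200)} AUDIT event=group_member_add group="Domain Admins" member=svc_helper actor=jdoe']
)


def _max_distinct_in_window(items, window_s):
    """items: (timestamp, value). Largest number of distinct values seen within
    any sliding window of `window_s` seconds (two-pointer over sorted items)."""
    items = sorted(items)
    best, lo = 0, 0
    for hi in range(len(items)):
        while (items[hi][0] - items[lo][0]).total_seconds() > window_s:
            lo += 1
        best = max(best, len({value for _, value in items[lo:hi + 1]}))
    return best


def ping_sweeps(events, min_hosts=10, window_s=60):
    """A source sending ICMP echo requests to many distinct hosts in a short window."""
    probes = defaultdict(list)
    for e in events:
        if e["kind"] == "ICMP" and e.get("type") == "8":
            probes[e["src"]].append((e["ts"], e["dst"]))
    alerts = []
    for src, items in probes.items():
        hosts = _max_distinct_in_window(items, window_s)
        if hosts >= min_hosts:
            alerts.append(("ping_sweep", src, hosts))
    return alerts


def failed_login_spikes(events, threshold=8, window_s=60):
    """Many failed logins from one source in a short window."""
    fails = defaultdict(list)
    for i, e in enumerate(events):
        if e["kind"] == "AUTH" and e.get("result") == "fail":
            fails[e["src"]].append((e["ts"], i))   # index keeps each failure distinct
    alerts = []
    for src, items in fails.items():
        count = _max_distinct_in_window(items, window_s)
        if count >= threshold:
            alerts.append(("failed_login_spike", src, count))
    return alerts


def new_admin_accounts(events, privileged=PRIVILEGED_GROUPS):
    """Any membership change that lands someone in a privileged group."""
    return [
        ("privileged_group_add", e["member"], e["group"], e.get("actor", "?"))
        for e in events
        if e["kind"] == "AUDIT" and e.get("event") == "group_member_add"
        and e.get("group") in privileged
    ]


if __name__ == "__main__":
    events = [e for e in map(parse_line, SAMPLE_LOG) if e]
    for alert in ping_sweeps(events) + failed_login_spikes(events) + new_admin_accounts(events):
        print(alert)
```

Each detector answers one of the column’s questions independently, so a single noisy rule can be tuned without touching the others; in a real deployment the privileged-group rule is the one to treat as high confidence, since legitimate additions are rare and easily reconciled against change tickets.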

The end goal is to make our networks less flat with better internal controls so that we can get rid of that soft gooey center.

In my next piece, I will cover what to look for, now that we are looking in the right places, and how we can often detect telltale signs of malware infections.

Related Reading: Getting Your Hands Dirty in the Fight on Modern Malware, Part 1

Related Reading: An Introduction to Modern Malware 

Related Reading: Using Network Segmentation to Protect the Modern Enterprise Network
